Incident and Recovery Plan

- Incident Plan first handling such as extinguish fire, evacuation of employees etc.
- Recovery Plan bridging the situation due to the fact that it takes longer than the fixed MAO
- Restoration Plan back to normal condition

If I have read correctly the E-Book of Dejan Kosutic, there is the Incident Plan for handling & bridging as well as the recovery plan for going back to normal condition. Which assumption is correct?

Answer:

Considering ISO 22301, you should consider these plans:
- incident response plans, with emergency actions to be performed right after the disruption being identified;
- recovery plans, with continuity actions to bring infrastructure and activities back to minimum agreed levels;
- restoration plans, with actions to bring activities back to normal operations.

These materials will provide you further explanation about elements of a business continuity plan:
- Business continuity plan: How to str ucture it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
- Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

We've received further question:

> I’m still confused. On one hand your colleague confirms my assumption of 3 plans (incident, recovery, restoration) but in your explanation you mention only 2 plans:
>According to those standards, the business continuity plans should consist of (1) incident response plan, and (2) recovery plans. An incident response plan is usually a single plan written for the whole organization, and describes what has to be done immediately after a disaster occurs – reducing the effects of the incident, communicating to emergency services, evacuating the building, gathering at assembly points, organizing transport to alternative locations etc.

>Does that mean that recovery and restoration are included both into the recovery plan (per activity)?

Answer:

First of all, sorry for this confusion. Considering the e-book, Becoming Resilient, on section 6.9 - Business continuity plan (clause 8.4) you can find that a business continuity plan consists of the following documents:
- Business continuity plan (BCP) – the main document which describes general pro cedures and responsibilities
- Incident response plan – a section or appendix of BCP that describes how to initially respond to a particular incident
- Disaster recovery plan (DRP) – a section or appendix of BCP that describes how to recover IT and communications infrastructure
- Recovery plan – a section or appendix of BCP that describes how to recover activities
- Restoration plan – a section or appendix of BCP that describes how to get activities back to business as usual
As you can see, since most of these documents have different purposes, it is best they can be separated documents to avoid add more confusion during a disruptive situation (users should get in hand only the information they need for their purposes at the moment).

The exception is the Restoration. It can be merged into the general BCP since it is not used during the disruption.

Many thanks, now everything is clear :-)